If you attended last year, you saw the excitement and enthusiasm from staff, speakers and attendees. If you were unable to attend, you’re in luck – you can watch some of the top sessions from 2017’s Security Congress online! Below is a list of the sessions currently available – and we’ll keep adding them as we get closer to the 2018 event.

This panel conversation on one of the hottest topics in cybersecurity – the skills shortage – took place during the first day’s luncheon. The session was attended in person by 800 cyber pros. Gary Beach, author of The U.S. Technology Skills Gap, served as moderator. The panel was made up of Brandon Dunlap of Amazon, Donald W. Freese, deputy assistant director for the FBI, our own CEO David Shearer, CISSP, and Deidre Diamond, founder and CEO of CyberSN and #brainbabe. Cybersecurity is a fairly new industry, and it is critical to every business; with no built-in pipeline of replacements, how can we fill the growing number of open jobs? The panel discusses solutions, including early childhood education, government programs, on-the-job training, internships and more. Brandon Dunlap on training your staff: “If you can build that relationship and make that investment, you can keep them for life.”

The opening keynote for the 2017 Security Congress event was a “fireside chat” about cybercrime with Donald Freese and Brandon Dunlap. Donald discussed the importance of terminology (“risk vs. threat” and “probability vs. possibility”) and learning the languages of the other departments you’re working with. Emphasizing collaboration and outreach within your own organization, Donald also talked about the accessibility of the FBI (through various regional offices, as well as FBI Twitter) and the value of building relationships with your local agencies before there is an issue to report.

Deidre Diamond is a powerful voice in the cybersecurity industry. She is the founder of CyberSN – a cybersecurity staffing agency – and the #brainbabe movement to replace “booth babes” with STEAM students at conferences and conventions. She spoke to a crowded room about the 500,000 unfilled cyber jobs and what those of us already in the field can do to help fill the gap. She referenced the 2017 Global Information Security Workforce Study’s finding that the percentage of women in the field remained stagnant at 11 percent, as well as research showing that 56 percent of women in tech leave the field within 10 years. Beyond the lack of women in cybersecurity, there are other ways the industry can grow, and that starts with shaking the stereotype of the hoodie-clad man in the basement. Cybersecurity jobs involve much more than simply “hacking,” and it’s time to come together to see how we can recruit new and unique talent to this exciting and lucrative field.

Our own COO Wes Simpson led a Birds of a Feather session on how (ISC)² has been transitioning to a 100% cloud-based services model. The interactive discussion starts with how and why our organization chose to go all in with the cloud, and how our team ensured that security stayed front and center throughout the process. Using a DevSecOps approach, our IT team restructured, and grew quite a bit, to focus on our “Digital-End-To-End” (DETE) mission of revamping our online presence. If you are preparing for a move to the cloud, or are already in the midst of the journey, this session is a must-watch.

Paul Oakes, CISSP-ISSAP, CCSP, CSM, CSPO, AWS PSA, is a senior enterprise security architect for TD Bank. He has 16 years of Agile experience and 20 years of security experience, and has worked in the cloud for the past 10. He teaches courses on Agile as well as security. In this session he delivers a conceptual roadmap that cloud security professionals can use as a guide for their day-to-day work of securing their cloud, or for transitioning to a cloud security environment.

Agile methodology is reality-driven, and your adversaries are already using it. Paul describes Agile’s essential principles as “based in technical excellence, good design, motivated individuals and empowered, self-organized teams.” This session is an ideal starting point for understanding Agile methods and how they can serve a cloud security environment.

Security researchers from ESET, a security software company, presented findings on the intersection of cyber, risk and gender. Lysa Myers and Stephen Cobb, CISSP, reviewed numerous studies indicating that white males perceive less risk than the rest of the population, a finding termed “the white male effect.” Most of the U.S. industry fits that demographic, yet cybersecurity professionals tend to see more risk in technology than their peers do.

Juliette Kayyem, author of Security Mom, was Tuesday’s keynote speaker at Security Congress and shared her experiences as a terrorism expert for the U.S. Department of Homeland Security. She spoke about minimizing risk and maximizing defenses, and about accepting that you are never going to get your risk or vulnerability to zero. While much of cybersecurity work focuses on prevention and preparation (“left of boom” policies), there also needs to be a focus on response and recovery when an incident does occur. Juliette Kayyem offers five important steps to building a more resilient system and what we all need to do to “keep calm and carry on.”

We’re expecting another sell out at this year’s Security Congress in New Orleans. Early bird registration is now open – including discounts for (ISC)² members, students and groups. Save your spot now and we’ll see you in N’awlins this October!

I decided on a career in cybersecurity when my email account was first compromised in 2011. I learned about this when my friends and family called to ask if I had sent out emails asking for money. As an engineer-in-training, I was curious to know why and how this had happened. It was through this experience that I first became interested in information security.

Why did you get your SSCP®?

My former boss at the Kansas City Chiefs said to me one day that we will always need more knowledge in the department. He encouraged me to take any IT certification exams that I could. As I previously stated, I was interested in information security and had already earned my Security+, so the SSCP was a good next step for me. I took the CISSP exam after passing my SSCP exam and am currently an Associate of (ISC)² working toward achieving my full status as a CISSP.

What is a typical day like for you?

I currently work in the Security Operations Center (SOC), handling the tier 1 and tier 2 issues that come in. Issues may involve log reviews, firewall configuration and monitoring network traffic, for example. Most recently, I have been tasked with the Data Loss Prevention Program. In short, as a team, we are all responsible for maintaining a secure infrastructure via administrative, technical and physical controls.

Can you tell us about a personal career highlight?

The first is that I received an offer from the Kansas City Chiefs Football Club to work for them. The second was receiving an offer from the National Security Agency. In short, I have been processed by the NSA. Going through the full-scope polygraph and PAB (Psychological Assessment Battery) was a unique experience. There is nothing else like it.

How has the SSCP certification helped you in your career?

I believe the SSCP was a step in the right direction in demonstrating to my potential employers that one, I take information security seriously, and two, I can be trusted. To take any certification involves time and money. What I mean by that is this: it takes time to prepare for the exam, and time and money to sit through an exam. It is the process that the employers look for.

What is the most useful advice you have for other information security professionals?

Personal growth and professional development are important to me. One has to pick and choose the right place that one wishes to work. There are many organizations out there where all they want you to do is to keep your seat warm. Sure, it’s a steady paycheck, but it will stunt your skill-set, and can hurt your career.

Information security is unlike information technology. It is why security is in its own department, and why the department would report to the CISO. Security is a challenging and lucrative career. However, be mindful of what this is all about, because at the end of the day, information security is a service. It is about people helping people.

As cyber threats proliferate, organizations looking to fill cybersecurity vacancies need to take concrete steps to reboot recruiting and hiring efforts. Qualified candidates for cybersecurity jobs are scarce and getting scarcer, creating a challenge for companies to properly defend themselves against threats. By 2022, an estimated 1.8 million cybersecurity jobs will go unfilled, according to research by (ISC)2.

It’s a classic supply-and-demand challenge, with too many vacancies for too few candidates. Currently it takes 55% of organizations at least three to six months to fill a cybersecurity vacancy, and 32% spend even more time to find qualified candidates, ISACA has found. In the United States, 27% of companies say they cannot fill cybersecurity vacancies.

To reverse this trend, employers should work on offering attractive compensation packages and creating a career advancement path for qualified candidates. Cybersecurity workers are more likely to accept jobs with companies willing to invest in training and education to update their cybersecurity skills. And as revealed in a recent (ISC)2 report, a greater investment in technology to protect against cyber threats also is needed, since 51% of IT workers in charge of security fear their organizations aren’t prepared enough to respond to cyberattacks.

Employers also should work on expanding the talent pipeline, identifying candidates from other fields who can quickly adapt to the cybersecurity profession and stepping up recruitment efforts in demographics that traditionally have been underserved for cybersecurity work – millennials and women. Tapping these sizable talent pools could help reduce the skills shortage.

The State of Cybersecurity Employment

Skills gaps have persisted in the IT industry for decades; something industry trade organization CompTIA has sought to address along the way. At least eight in 10 of U.S. businesses feel adverse effects of this shortage, according to CompTIA. The problem is especially acute – and worrisome because of what’s at stake – in cybersecurity.

The U.S. Bureau of Labor Statistics estimates the number of IT security jobs is expected to have increased 18% by 2024, but as (ISC)2 has discovered, there will be nowhere near enough skilled candidates to fill those jobs. ISACA has found one in five organizations draw fewer than five candidates for each cybersecurity position.

Meanwhile, cyber threats get progressively worse, becoming more frequent and damaging. Studies suggest many organizations need to better prepare to address the cybersecurity challenge. For instance, a Crowd Research Partners study released in early 2017 shows 62% of respondents had moderate to no confidence in their security measures.

The Recruitment Challenge

What makes cybersecurity recruiting such a vexing challenge? It’s a confluence of factors:

Cybersecurity careers remain relatively novel. Most cybersecurity professionals (87%) start out in different work. A student envisioning a technology career is more apt to think about web or mobile app development, not protecting an organization from cyberattacks. However, this dynamic is changing rapidly as colleges expand their cybersecurity curricula and the cybersecurity field matures.

Hiring practices are problematic. Admittedly, when demand far exceeds supply, even the best recruiters will struggle. That isn’t to say improvements are impossible. Protracted hiring processes can discourage jobseekers, who will find employment elsewhere. In a highly competitive market, hiring must be quick and efficient. Another issue is too often the people recruiting and hiring lack cybersecurity expertise, which can make it difficult to identify the right candidate.

Employers have unrealistic expectations. Employers need to make sure descriptions for cybersecurity positions accurately match the knowledge, skills and abilities the role requires. (ISC)2 research indicates this is an area for improvement, and the same is true of employers’ investment in training and certifications. Only about one-third of respondents (34%) said their company pays for all of their cybersecurity training.

Women are underrepresented. Female cybersecurity workers remain relatively rare. In North America, only 14% of the region’s cybersecurity professionals are women. That compares with 10% in Asia-Pacific, 9% in Africa, 8% in Latin America and 7% in Europe.

Millennials also are scarce. Millennials make up a small fraction of the cybersecurity job market. Millennials are a diverse group with a strong interest in training, mentorship and apprenticeships, areas in which too many of today’s budget-conscious employers could do a better job.

High Stakes

Solving the cybersecurity hiring challenge will take time and effort. In the short term, employers can make progress by adjusting their hiring expectations, streamlining the recruitment process and tapping underserved talent pools.

There’s a lot at stake because organizations need to protect their critical IT assets. As threats proliferate, new tools to combat those threats become available. Companies need to invest in those technologies and the people who run them. This is an ongoing endeavor, which will benefit from upfront investments in hiring and recruiting and in skills development for members of the cybersecurity team. Keeping the skills of cybersecurity workers up to date is essential to the execution of an effective cybersecurity strategy.

How to Attract Qualified Candidates

Successfully filling cybersecurity jobs in such a wildly competitive field takes a refined approach. Here are some recommendations for employers to follow during the recruitment process:

Invest in training and certifications.

Investment in cybersecurity skills through training and certification benefits both the individual and the employer. The cybersecurity field is evolving rapidly to keep up with an ever-changing threat landscape, so security workers need ongoing training to update their skills. Training also has a positive effect on retention. Workers will be less tempted to seek employment elsewhere if they believe their current employers understand the importance of skills development.

Offer career advancement.

Employees view career advancement opportunities as a reason to grow professionally with their employers. That’s true of any field, including cybersecurity. Too often, employers resist advancing workers who are doing a good job because they want to protect the organization. But this may have the effect of demoralizing employees who deserve to move up, as well as those behind them who are ready to take over their positions. Employers should offer advancement paths based on clearly defined achievements and goals, and make that known during the recruitment and hiring process.

Engage cybersecurity workers in decision-making.

Employers are more likely to attract cybersecurity talent by correctly setting expectations and defining responsibilities. This means clearly articulating that you recognize the role of cybersecurity professionals is primarily to advise senior management on how to minimize risk. (ISC)2 has found employers often ignore advice from workers in charge of IT security, with only about one-third (35%) of those workers saying management follows their advice. Employers should be realistic with cybersecurity jobseekers about the organization’s culture and willingness to accept advice, all of which directly contribute to the success of the cybersecurity program. Position the cybersecurity role as a valued contributor and advisor to leadership, but don’t oversell it.

Fine-tune recruitment processes.

As already noted, protracted hiring processes discourage job applicants. Managers can improve the likelihood of hiring the best candidates by making a decision as quickly as possible, and not forcing candidates to wait for an answer for weeks or months. To streamline processes, HR and cybersecurity managers should work together to maintain a pool of resumes they can use when needing to fill a vacancy. In addition, keeping staffers with cybersecurity expertise involved in the hiring process is crucial to hiring the best-qualified candidates.

Target untapped talent.

Millennials and women are a largely untapped talent pool for cybersecurity. Employers can get a jump on the talent market by reaching out to female and millennial candidates, both internally and externally. Another area worthy of exploring is to identify professionals in other fields, such as communications, accounting and law enforcement, who could easily adapt to cybersecurity work. The more diverse your cybersecurity team, the more likely it is to develop effective, innovative practices and approaches to the defense of your IT environment. Homogeneous teams tend to get stuck in repeating tired practices, sometimes even after those practices become ineffective.

Partner with school districts and universities.

The IT industry – and by extension the cybersecurity field – can partly address skills gaps by forging partnerships with schools. Getting students interested in cybersecurity in their formative years is an investment in the future, and there are multiple ways to accomplish this:

Sponsor and participate in career days.

Offer internships and apprenticeships.

Actively participate in the educational process with guest lectures at local schools.

Sponsor field trips to data centers and other locations where students can meet cybersecurity workers.

Offer scholarships to deserving students, and target girls and other groups that are underrepresented in the industry.

Offer attractive compensation packages.

Competitive pay isn’t the only way to attract good talent – especially among millennials, who also put a premium on corporate values and career development. Still, compensation is a major factor. When talent is so scarce, employers may have no choice but to offer compensation above the average, coupled with an attractive benefits package and bonus schedule. Employers should also make it a practice to adjust compensation for existing cybersecurity staff to prevent poaching.

Competition for cybersecurity talent is fierce and will get more intense in years to come, as employers try to fill positions from a limited talent pool. In the meantime, cyber threats are likely to continue getting worse, adding pressure to fill vacancies. Organizations need to adopt hiring and recruitment best practices, promote from within when possible, and partner with educational institutions to find and develop cybersecurity talent. Hiring cybersecurity workers is a major challenge that shouldn’t be ignored because there’s so much at stake.

(ISC)² will soon have a report, based on survey research, on how job seekers – and those hiring – can come together to help mitigate the challenge of hiring in cybersecurity. Stay tuned!

We know that @SANSInstitute Critical Security Controls #1 and #2 are hardware inventory and software inventory. Security teams need these for vuln management, incident response, and CTI. If IT doesn't have these inventories should security teams foot the bill to create them?
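As an added illustration of why the security team needs that inventory (this is example code written for this page, not something from the tweet or from SANS): the script below builds a minimal software inventory from `dpkg-query` style output and uses it for one of the jobs the tweet lists, vulnerability management, by matching installed packages against a list of advisories. The sample package lines, the advisory identifiers and the fixed versions are all constructed for the example, and the version comparison is a simplified numeric-segment compare rather than dpkg’s full algorithm.

```python
"""
Added example: a software inventory feeding vulnerability management.

Assumptions (not from the original post): the inventory source is the
output of `dpkg-query -W -f='${Package} ${Version} ${Architecture}\n'`,
the advisory list is a constructed (package, first fixed version) table
with hypothetical IDs, and versions are compared segment by segment.
"""
import re
from dataclasses import dataclass

# Constructed sample of dpkg-query output (package version architecture).
SAMPLE_DPKG_OUTPUT = """\
openssl 1.1.1f-1ubuntu2.16 amd64
libcurl4 7.68.0-1ubuntu2.18 amd64
sudo 1.8.31-1ubuntu1.4 amd64
bash 5.0-6ubuntu1.2 amd64
"""

# Constructed advisories: (hypothetical ID, package, first fixed version).
SAMPLE_ADVISORIES = [
    ("EXAMPLE-2023-0001", "openssl", "1.1.1f-1ubuntu2.17"),
    ("EXAMPLE-2023-0002", "sudo", "1.8.31-1ubuntu1.2"),
    ("EXAMPLE-2023-0003", "nginx", "1.18.0-0ubuntu1.4"),
]


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    arch: str


def parse_dpkg(text):
    """Turn dpkg-query lines into a name -> Package inventory."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, arch = line.split()
        inventory[name] = Package(name, version, arch)
    return inventory


def version_key(version):
    """Simplified comparison key: numeric segments compare as integers,
    alphabetic segments as strings, numbers sort before letters.
    This is NOT dpkg's algorithm (no epochs, no tilde handling)."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.findall(r"\d+|[A-Za-z]+", version)]


def is_vulnerable(installed, first_fixed):
    """True when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(first_fixed)


def find_vulnerable(inventory, advisories):
    """Return (advisory, package, installed, fixed) for each applicable hit.
    Advisories for packages that are not installed are skipped, which is
    exactly the decision the inventory makes possible."""
    hits = []
    for adv_id, pkg, fixed in advisories:
        installed = inventory.get(pkg)
        if installed is None:
            continue
        if is_vulnerable(installed.version, fixed):
            hits.append((adv_id, pkg, installed.version, fixed))
    return hits


if __name__ == "__main__":
    inv = parse_dpkg(SAMPLE_DPKG_OUTPUT)
    for hit in find_vulnerable(inv, SAMPLE_ADVISORIES):
        print("%s: %s %s is below fixed version %s" % hit)
```

Without the inventory, the sudo and nginx advisories would both have to be chased by hand; with it, only the openssl line needs action. The same name-to-version map is what incident response reaches for when an indicator names a specific build, which is the tweet’s point about who needs the inventory most.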

So I went to the Apple Genius Bar to pick up a repaired iPhone.
At the same time, the guy next to me is verbally giving his username and password to the Genius helping him.
After he says his credentials he goes on to say he hopes he doesn’t get hacked.
If only he knew ;-)